Implant Container Image
Adversaries may implant cloud container images with malicious code to establish persistence. Amazon Web Service (AWS) Amazon Machine Images (AMI), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.
A tool has been developed to facilitate planting backdoors in cloud container images. If an attacker has access to a compromised AWS instance, and permissions to list the available container images, they may implant a backdoor such as a Web Shell. Adversaries may also implant Docker images that may be inadvertently used in cloud deployments, which has been reported in some instances of cryptomining botnets.
Periodically check the integrity of images and containers used in cloud deployments to ensure they have not been modified to include malicious software.
|Privileged Account Management||
Limit permissions associated with creating and modifying platform images or containers based on the principle of least privilege.
Monitor interactions with images and containers by users to identify ones that are added or modified anomalously.
- Rhino Labs. (2019, August). Exploiting AWS ECR and ECS with the Cloud Container Attack Tool (CCAT). Retrieved September 12, 2019.
- Rhino Labs. (2019, September). Cloud Container Attack Tool (CCAT). Retrieved September 12, 2019.
- Doman, C. & Hegel, T.. (2019, March 14). Making it Rain - Cryptocurrency Mining Attacks in the Cloud. Retrieved October 3, 2019.